[Dev] [consensus due 10-24-16] Features vs. Privacy in nonprism repo

Luke g4jc at openmailbox.org
Tue Oct 4 00:25:35 GMT 2016

> Hello,
> As many of you know there were various hardening patches to IceWeasel
> and IceDove recently. These patches were done by myself and gleaned
> from other reliable sources such as TBB and PrivacyTools.io[1], as
> well as consulting the Mozilla wiki.
> Unfortunately, it has caused breakage on some websites[2][3] and
> degraded user experience. This is to be expected, as the web becomes
> less privacy-friendly, and more centralized/data-centric.
> A quick run down of notable patches[4]:
> 1) Disable Telemetry for good (it was previously storing all the
> telemetry data and probing your OS ever 2 minutes or so, including
> open tabs and websites for 'analytical purposes')
> 2) Disable Balrog/AUS5, Mozilla's new non-transparent remote update
> mechanism that fingerprints the user.
> 3) Disable Facial Recognition, Speech Recognition, and Virtual Reality
> API.
> 4) Disable various data leaks and remote updates, attempt to
> completely stop Google from being queried and downloading their
> "safe-browsing" list for every page you visit.
> 5) Stop IP leaks caused by WebRTC, WebSockets, and Captive Portal
> Detection.
> 6) Disable DOM Storage due to many privacy concerns and it being off
> in all modern versions of TBB.
> 7) Disable weak hash and broken SSL implementation which do not
> prevent eaves droppers from reading the page.
> _- So this puts the nonprism projects at a crossroads. Do we want to
> favour accessibility and "features" over "privacy"?_
> From my personal opinion, nonprism should provide security and privacy
> by default. Users can choose to opt-out of nonprism if they wish. This
> is easily done by A) not using nonprism, or B) using about:config
> and/or user.js to override the settings.
> Meanwhile, some users have questioned why nonprism is not on by
> default[5], and I think this is a valid point from a security
> standpoint. Users may be using Parabola under the impression they are
> experiencing the safest possible defaults, and this is currently not
> the case.
> 1. https://www.privacytools.io/#about_config
> 2. https://labs.parabola.nu/issues/1113
> 3. https://labs.parabola.nu/issues/1114
> 4.
> https://git.parabola.nu/abslibre.git/tree/nonprism/iceweasel/vendor.js
> /
> https://git.parabola.nu/abslibre.git/plain/nonprism-testing/iceweasel/vendor.js
> 5. https://labs.parabola.nu/issues/1093#note-3
> Now that everyone is aware of the issues, please discuss. I do not
> feel [nonprism] should become "privacy-lite" and libre become "no
> protection at all".
> Luke
> _______________________________________________
> Dev mailing list
> Dev at lists.parabola.nu
> https://lists.parabola.nu/mailman/listinfo/dev

I have helped Emulatorman add a post-install notice to nonprism packages
to notify users of hardening and a link to this thread.
Also I forgot to mention a consensus cut off date. Please reach
consensus by October 24th 2016.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20161003/e012ddf6/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20161003/e012ddf6/attachment.sig>

More information about the Dev mailing list